diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 07d7cb72987b2a..32fd1f322e0a96 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -505,9 +505,8 @@ TLSSocket.prototype._init = function(socket, wrap) {
   if (process.features.tls_sni &&
       options.isServer &&
       options.SNICallback &&
-      options.server &&
       (options.SNICallback !== SNICallback ||
-       options.server._contexts.length)) {
+       (options.server && options.server._contexts.length))) {
     assert(typeof options.SNICallback === 'function');
     this._SNICallback = options.SNICallback;
     ssl.enableCertCb();
diff --git a/test/parallel/test-tls-socket-snicallback-without-server.js b/test/parallel/test-tls-socket-snicallback-without-server.js
new file mode 100644
index 00000000000000..9d30bc17b96b65
--- /dev/null
+++ b/test/parallel/test-tls-socket-snicallback-without-server.js
@@ -0,0 +1,26 @@
+'use strict';
+
+// This is based on test-tls-securepair-fiftharg.js
+// for the deprecated `tls.createSecurePair()` variant.
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const tls = require('tls');
+const fixtures = require('../common/fixtures');
+const makeDuplexPair = require('../common/duplexpair');
+
+const { clientSide, serverSide } = makeDuplexPair();
+new tls.TLSSocket(serverSide, {
+  isServer: true,
+  SNICallback: common.mustCall((servername, cb) => {
+    assert.strictEqual(servername, 'www.google.com');
+  })
+});
+
+// captured traffic from browser's request to https://www.google.com
+const sslHello = fixtures.readSync('google_ssl_hello.bin');
+
+clientSide.write(sslHello);